Verifying using hirsute: # uname -r 5.11.0-1014-kvm
# grep CODENAME /etc/os-release VERSION_CODENAME=hirsute UBUNTU_CODENAME=hirsute # keyctl list %:.blacklist Can't find 'keyring:.blacklist' Upgraded kernel: # uname -r 5.11.0-1015-kvm # keyctl list %:.blacklist 1 key in keyring: 330780907: ---lswrv 0 0 asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0 In dmesg: [ 0.375674] blacklist: Loading compiled-in revocation X.509 certificates [ 0.376015] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0' No other blacklist hashes got imported, cause they do not appear in mokvar table nor in MokListRT mirror variable, nor does kvm kernel appear to have platform keyring... which is very odd.... cause UEFI db keys for Microsoft Production PCA 2011 and UEFI CA 2011 are missing. It seems to me that kvm kernel is a bit broken, and doesn't have support for mokvar or .platform keyring, which is very bad. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1928679 Title: Support importing mokx keys into revocation list from the mok table To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1928679/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
